2024-08-12 10:50:16 +00:00
|
|
|
from models import RuleCheckResult
|
2024-08-05 02:30:34 +00:00
|
|
|
import boto3
|
|
|
|
|
|
|
|
|
|
|
2024-08-12 02:20:13 +00:00
|
|
|
build_client = boto3.client("codebuild")
|
|
|
|
|
|
|
|
|
|
deploy_client = boto3.client("codedeploy")
|
2024-08-05 02:30:34 +00:00
|
|
|
|
|
|
|
|
|
|
|
|
|
def codebuild_project_environment_privileged_check():
|
2024-08-12 02:20:13 +00:00
|
|
|
compliant_resources = []
|
|
|
|
|
non_compliant_resources = []
|
|
|
|
|
projects = build_client.list_projects()["projects"]
|
|
|
|
|
|
|
|
|
|
for project in projects:
|
|
|
|
|
project = build_client.batch_get_projects(names=[project])["projects"][0]
|
|
|
|
|
|
2024-08-12 10:50:36 +00:00
|
|
|
if not project["environment"]["privilegedMode"]:
|
2024-08-12 02:20:13 +00:00
|
|
|
compliant_resources.append(project["arn"])
|
|
|
|
|
else:
|
|
|
|
|
non_compliant_resources.append(project["arn"])
|
|
|
|
|
|
2024-08-05 02:30:34 +00:00
|
|
|
return RuleCheckResult(
|
2024-08-12 02:20:13 +00:00
|
|
|
passed=not non_compliant_resources,
|
|
|
|
|
compliant_resources=compliant_resources,
|
|
|
|
|
non_compliant_resources=non_compliant_resources,
|
2024-08-05 02:30:34 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
def codebuild_project_logging_enabled():
|
2024-08-12 02:20:13 +00:00
|
|
|
compliant_resources = []
|
|
|
|
|
non_compliant_resources = []
|
|
|
|
|
projects = build_client.list_projects()["projects"]
|
|
|
|
|
|
|
|
|
|
for project in projects:
|
|
|
|
|
project = build_client.batch_get_projects(names=[project])["projects"][0]
|
|
|
|
|
logs_config = project["logsConfig"]
|
|
|
|
|
|
|
|
|
|
if logs_config["cloudWatchLogs"]["status"] == "ENABLED" or logs_config["s3Logs"]["status"] == "ENABLED":
|
|
|
|
|
compliant_resources.append(project["arn"])
|
|
|
|
|
else:
|
|
|
|
|
non_compliant_resources.append(project["arn"])
|
|
|
|
|
|
2024-08-05 02:30:34 +00:00
|
|
|
return RuleCheckResult(
|
2024-08-12 02:20:13 +00:00
|
|
|
passed=not non_compliant_resources,
|
|
|
|
|
compliant_resources=compliant_resources,
|
|
|
|
|
non_compliant_resources=non_compliant_resources,
|
2024-08-05 02:30:34 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
def codedeploy_auto_rollback_monitor_enabled():
|
2024-08-12 02:20:13 +00:00
|
|
|
compliant_resources = []
|
|
|
|
|
non_compliant_resources = []
|
|
|
|
|
applications = deploy_client.list_applications()["applications"]
|
|
|
|
|
|
|
|
|
|
for application in applications:
|
|
|
|
|
deployment_groups = deploy_client.list_deployment_groups(applicationName=application)["deploymentGroups"]
|
|
|
|
|
for deployment_group in deployment_groups:
|
|
|
|
|
deployment_group = deploy_client.get_deployment_group(
|
|
|
|
|
applicationName=application, deploymentGroupName=deployment_group
|
|
|
|
|
)["deploymentGroupInfo"]
|
|
|
|
|
|
|
|
|
|
if (
|
2024-08-12 10:50:36 +00:00
|
|
|
deployment_group["alarmConfiguration"]["enabled"]
|
|
|
|
|
and deployment_group["autoRollbackConfiguration"]["enabled"]
|
2024-08-12 02:20:13 +00:00
|
|
|
):
|
|
|
|
|
compliant_resources.append(deployment_group["deploymentGroupId"])
|
|
|
|
|
else:
|
|
|
|
|
non_compliant_resources.append(deployment_group["deploymentGroupId"])
|
|
|
|
|
|
2024-08-05 02:30:34 +00:00
|
|
|
return RuleCheckResult(
|
2024-08-12 02:20:13 +00:00
|
|
|
passed=not non_compliant_resources,
|
|
|
|
|
compliant_resources=compliant_resources,
|
|
|
|
|
non_compliant_resources=non_compliant_resources,
|
2024-08-05 02:30:34 +00:00
|
|
|
)
|
